Skip to content

fix(cli): redact access token from MCP auth status output#156

Closed
ch1lam wants to merge 8 commits into
XiaomiMiMo:mainfrom
ch1lam:fix/mcp-token-log-redaction
Closed

fix(cli): redact access token from MCP auth status output#156
ch1lam wants to merge 8 commits into
XiaomiMiMo:mainfrom
ch1lam:fix/mcp-token-log-redaction

Conversation

@ch1lam

@ch1lam ch1lam commented Jun 11, 2026

Copy link
Copy Markdown

Summary

  • Replace partial access token display with "present" in MCP auth status output
  • Prevents token leakage via screen recordings, terminal logs, or shoulder-surfing

Motivation

The mcp auth status command printed the first 20 characters of the OAuth access token. Even a partial token can be captured and potentially used. The refresh token was already displayed as just "present" — the access token should follow the same pattern.

Changes

// Before
prompts.log.info(`  Access token: ${entry.tokens.accessToken.substring(0, 20)}...`)

// After
prompts.log.info(`  Access token: present`)

Fixes #155

qiaozongming and others added 8 commits June 11, 2026 01:23
@qiaozongming
Initial open-source release of MiMo Code
7233b71
@qiaozongming
readme
4ef01a4
@ChuanfengZhang
docs: correct OpenCode repository URL in README files
251e207
@bwshen-mi
Update README
6ce77f0
@bwshen-mi
Merge pull request XiaomiMiMo#20 from ChuanfengZhang/main
9753077 
docs: correct OpenCode repository URL in README files
@qiaozongming
docs: update community group chat QR code
bc9546e
@qiaozongming
Merge pull request XiaomiMiMo#149 from XiaomiMiMo/chore/update-wechat…
e96727a 
…-qrcode

docs: update community group chat QR code
@ch1lam
fix(cli): redact access token from MCP auth status output
b2676aa 
The `mcp auth status` command printed the first 20 characters of the
OAuth access token to the terminal. Even a partial token can be captured
from screen recordings, terminal logs, or shoulder-surfing. Replace
with a simple "present" indicator, matching the refresh token display.
@qiaozongming qiaozongming force-pushed the main branch 4 times, most recently from 97aefc0 to ab53d06 Compare June 15, 2026 14:00
@MrRealORG MrRealORG mentioned this pull request Jun 16, 2026
Closed
@qiaozongming qiaozongming mentioned this pull request Jun 18, 2026
Closed
@qiaozongming

qiaozongming commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

#953

@qiaozongming qiaozongming mentioned this pull request Jun 18, 2026
Open
@qiaozongming

qiaozongming commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

#1108

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[SECURITY] MCP auth status prints partial access token to terminal

5 participants

@ch1lam @qiaozongming @Stole214 @ChuanfengZhang @bwshen-mi